SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 
Changelog for mantisbt-2.26.0-1.3.noarch.rpm :

* Fri Nov 10 2023 Johannes Weberhofer - Feature and maintenance release. Dropping support for PHP 7.1 and older, the earliest supported PHP version is now 7.2.5. New configuration options were added to control access to Export and Print Report features (see #0022224). The default value for the latter was set to UPDATER for security reasons (see [#0025492]); to restore earlier behavior, administrators should set $g_print_reports_threshold = VIEWER;.
* administration - Add admin check to detect users without e-mail address when allow_empty_email = OFF #0032940 - \"Copy Categories From\" copies global categories #0030812 - Detect invalid HTML in language strings #0030447 - Disallow setting logging options in database #0032926 - Do not buffer output for CLI scripts #0028963 - Facilitate identification of user accounts sharing the same email #0032787 - Filter settings are not available on \"Workflow Thresholds\" page #0029269 - Improve handling of project assignment in manage_user_edit_page.php #0028122 - Inconsistent use of hyperlink instead of button to edit Custom Fields in Edit Project page #0028557 - Incorrect filtering of users on Manage Project / Accounts #0028606 - Language checks should warn about languages not defined in config [#0029026] - Not able to update existing user accounts if $g_email_ensure_unique == ON #0020647 - Outdated PostgreSQL version information in Admin Checks #0028528 - PHP errors triggered by Admin Checks cause silent failure #0033010 - Project Edit Page improvements #0030551 - Undefined constant ERROR_VERSION_NO_ACTION and missing matching error message #0028562 - Using MySQL 8.0 gives warning in admin checks #0028525 - Utility to copy attachments from File to Database #0004993
* api rest - Add REST API for setting config options that are settable via database #0032258 - Allow REST API to run on PHP 8.1 without squelching E_DEPRECATED notices #0032866 - Can not get userid from another user with REST API #0027128 - change username via rest api #0027130 - Deleting a user should revoke #0032246 - Get Project Issues returns html if user doesn\'t have access to project #0032249 - Get Project REST API returns html if user doesn\'t have access #0032248 - Missing PHPUnit tests for Projects REST API endpoints #0032864 - REST and SOAP APIs fail to report that Mantis is offline #0033023 - REST API: Add API to Get / Delete / Update versions #0030415 - REST API Create Project API requires administrator rather than create_project_threshold #0032237 - REST API Create Project doesn\'t trigger EVENT_MANAGE_PROJECT_CREATE plugin event #0032236 - REST API: Create Project User #0032466 - REST API: Delete Project User #0032467 - REST API errors when attempting to add or delete issue relationships #0032835 - REST API for creating API tokens for users #0032245 - REST API for deleting API token #0032247 - REST API: Project Add API to return information about added version #0032445 - REST API: Support Get User By ID #0032356 - REST API: Support impersonation of users #0032469 - REST API: Support select for fields to return when getting user info #0032357 - REST API unit test incorrectly failing with anonymous user #0032804 - REST API: Update Project User #0032468 - REST API: User Update API #0032465 - Status codes returned by REST API delete operations are not consistent #0032858 - Support retrieving users with specified access level to a project #0022791 - Support selecting which fields to retrieve for an issue #0032331 - To move a user to disabled #0024757 - Update Guzzle to 7.8.0 #0032807 - Update postman collection #0030908 - Update Slim Framework to 3.12.5 #0033018
* api soap - phpunit FilterTest fail if there are more than 50 issues in the tracker #0017121 - PHPUnit SOAP API tests trigger syntax error when extension is not loaded #0032814 - SOAP API Create Project API requires administrator rather than create_project_threshold #0032234 - SOAP API Create Project doesn\'t trigger EVENT_MANAGE_PROJECT_CREATE plugin event #0032235 - SOAP API mc_project_get_users doesn\'t enforce access check #0030907
* attachments - Show issue attachments along with issue header information #0028965
* authentication - Login redirection to plugin credentials page for non-existent user #0029517
* bugtracker - Access Restrictions to \"Print Reports\", \"CSV Export\", \"Excel Export\" in view all bugs page #0022224 - collapse_settings cookie is hardcoded #0029616 - Cookies \"SameSite\" attribute triggers warnings in Firefox console #0029611 - Incorrect use of mb_strimwidth() to truncate old/new values in history API #0032385 - Issues should have canonical meta tag #0031833 - \"Operation successful.\" message page slows down interaction #0005189 - PHP 8.2 support #0032027 - print_form_button() generates bad security token name for plugin action page #0028533
* change log - Changelog/Roadmap items are printed without any structure #0030192
* code cleanup - Avatar::get() returns Avatar instance, but phpdoc indicates it returns array #0032978 - Calling user_get_field() with non-existing user throws incorrect warning #0028119 - Create ProjectAddCommand #0032231 - Create ProjectDeleteCommand #0032232 - Create ProjectUpdateCommand #0032238 - Duplicated code in email API #0032382 - Implement UserUpdateCommand #0032464 - Invalid HTML in manage_user_edit_page.php #0028114 - Remove deprecated function db_prepare_string() #0032704 - Remove function check_php_version() #0032714 - Remove PHP < 5.4 compatibility code from user_get_all_accessible_projects() #0028830 - Remove unnecessary check on Version Id #0032831 - Remove version_cache_row()\'s 2nd parameter #0032832 - Removing unused CUSTOM_FIELD_TYPE_xxx constants #0030278 - Unneeded PHP version checks #0032901 - Use range() function instead of string increment #0032735
* db mssql - APPLICATION ERROR 0000401 / Error MSSQL 4145 when view all bugs for 1000 projects or more #0028902 - Impossible to insert child records with ADOdb 5.21.0 on mssql #0028068
* db mysql - Problem in the download process #0033031
* db postgresql - PHP notices leading to unusable system with ADOdb 5.21.0 on pgsql #0028069
* db schema - Update ADOdb to 5.22.5 #0032028
* documentation - Admin Guide lists incorrect/incomplete/obsolete required PHP extensions #0027793 - Developers Guide PHPUnit section is out of date #0032806 - Development Guide - Chapter 4. Plugin System - Errors in text #0021657 - Documentation: Hooking events declared by other plugins #0032504 - Duplicated REST API endpoint GET /issues in Postman documentation #0033003 - Mantis version visible in REST API request headers even when $g_show_version is OFF #0033017 - Using Docker to build Documentation #0031993
* email - Missing In-Reply-To header in new bugnote email notification #0032038 - monitor receives no mails if he is not project member #0029454 - Support for sending emails with CC and/or BCC #0029583 - Unable to set the In-Reply-To header to a domain different from the current one #0029585 - Update PHPMailer to 6.8.0 #0029025
* filters - Filtering on \"projection\" field is missing #0032726 - Saving a filter triggers deprecated warning on PHP 8.2 #0032734
* html - Closing
tag missing in sign up page #0024621 - Invalid \'literal\' tag used in MantisCoreFormatting language strings #0030283
* installation - admin/check.php script says upload_max_size but actually checks upload_max_filesize #0030428 - Drop support for PHP 5.x #0025956 - Increase minimum PHP requirement to 7.2.5 #0027840 - MSSQL blocking error during installation. #0029511
* javascript - list.js library causing CSP violation in manage_proj_edit_page.php [#0030490] - list.js navigation buttons scrolling to top of page #0030494
* ldap - Can\'t set a custom field for ldap email #0029230
* localization - Incorrectly configured saraiki language #0028861 - Incorrectly configured serbo-croatian #0028860 - Missing language codes in browser\'s auto map #0028668 - New Hindi Language Translation #0028648 - String optimizations for English language #0028905 - Translation in Espéranto #0008664
* markdown - Markdown markup should be done with CSS classes, not inline styles #0022190
* other - function gpc_set_cookie() ignores $p_httponly argument #0029027
* performance - Improve performance of user_pref_clear_invalid_project_default() #0028120 - Issue view page timeouts or inefficient for issues with large number of notes and attachments #0032244 - Only load dynamic CSS status_config.php when necessary #0030773
* plug-ins - Event on access level modifications #0026998 - Hook for Custom field on bug_change_status_page #0031666 - Unknown named parameter $files #0033058
* relationships - Wrong html syntax #0029903
* security - Printing #0025492 - Use PHP random_bytes() instead of our custom crypto_generate_random_string function #0032900
* tagging - Wrong display of tag filter #0032811
* tools - Enable PHP 8.1 builds on Travis-CI #0029882 - Error when executing the complete PHPUnit test suite with AllTests.php [#0032815] - New build script to download updated font files #0028964 - Refactor and improve output of \'test_langs.php\' admin script #0027383 - TravisCI \' /usr/sbin/sendmail: not found\' error after successful test execution #0032828 - Ugrade to PHPUnit 8.5 and adapt test suite #0032810 - Use phpunit.xml to define Test Suites #0032816
* ui - Add hash to MantisBT CSS files to force browser cache update #0026148 - Bugnotes links tilde \' ~\' sign rendered as dash \'-\' in View page #0022109 - Buttons\' vertical size is slightly smaller than other form elements #0030550 - Long unbreakable text does not auto wrap in bug details page #0027114 - Manage Project Edit page should redirect to relevant section after updates #0030435 - Move Delete buttons into main form #0027274 - \"pinning\" an issue calls for not CSS code in view_all_inc.php #0031944 - progress bar on the title bar #0028182 - Regroup the 2 Subprojects sections on Manage Project Edit page #0030423 - Removing vertical lines in tabular presentation to reduce clutter #0028826 - Text Custom Field columns should be left-aligned #0030279 - Visually align the 1st column\'s width in manage_user_proj_delete.php #0028124
* upgrade - Improve handling of unserialize->json conversion during upgrade #0028918
* wiki - Support for WackoWiki #0022371
* Tue Apr 25 2023 Johannes Weberhofer - MantisBT 2.25.7
* bugtracker - Ampersand in $g_search_title prevents adding search engine #0032076 - Getting Undefined index: target_version when viewing bug #0032353 - IssueViewPageCommand.php line 135: \'Undefined array key \"version\" with php 8.1.16 #0032086
* email - new PHPMailer() is created for every outgoing email #0030127
* performance - access_project_array_filter can lead to many SQL requests #0032131
* plug-ins - EVENT_LOG can produce stack overflow when LOG_DATABASE is enabled #0032243- MantisBT 2.25.6 Security and maintenance release addressing an information disclosure issue (CVE-2023-22476), with thanks to d3vpoo1 for identifying and responsibly reporting it, as well as a vulnerability in bundled moment.js library (CVE-2022-31129). This release also resolves over 20 issues including several PHP 8.x compatibility fixes. All installations are strongly advised to upgrade as soon as possible.
* api rest - Update Slim Framework to 3.12.4 #0030841
* bugtracker - Browser extensions may trigger automatic bug monitoring #0030922 - config_flush_cache() doesn\'t clean the eval cache for individual options #0030793 - Date conversion fails when editing a project version using a non-US date format #0031836 - Product Version / Target Version - Date missing #0031889 - Remove \"sponsorship_total\" from columns default #0032037
* code cleanup - PHP 8.1 deprecated warnings #0031712
* documentation - Missing columns on $g_view_issues_page_columns documentation #0022238
* installation - Creation of dynamic properies is deprecated in PHP 8.2 #0031943
* ldap - Deprecated conversion of false to array in ldap_api.php with PHP 8.1 #0030790 - Editing user with use_ldap_email = ON empties email address #0024720 - Poor error handling when $g_login_method = LDAP and PHP extension missing #0030771
* markdown - URLs should only be converted to links when process_url is ON #0030918
* other - Upcoming incompatibility with PHP 8.2, \"Deprecate ${} string interpolation\" RFC #0030429
* plug-ins - XML import: Undefined property warning when importing bug notes #0031876
* reports - Graphviz logs syntax error in line xx near \';\' #0031827
* security - Allow adding relation type noopener/noreferrer to outgoing links #0030791 - CVE-2023-22476: Private issue summary disclosure #0031086 - Update moment.js to 2.29.4 #0030772
* signup - Captcha audio not working #0030814 - Captcha image not showing on PHP 8.1 #0030794
* tagging - Undefined constants TAG_NOT_ATTACHED + TAG_ALREADY_ATTACHED in tag_api.php #0031159
* ui - Status color boxes shown in black on bug_relationship_graph.php #0031829 - unreachable submit button #0030835
* upgrade - Scalar typehint is not supported in PHP 5.x #0030777
* Sun Nov 06 2022 Johannes Weberhofer - MantisBT 2.25.5 Security and maintenance release
* security - CVE-2022-33910: Unrestricted SVG File Upload leads to CSS Injection - CVE-2022-33910: Stored XSS via SVG file upload - Wrong bugnote_user_edit_threshold value used when checking permissions to edit bugnote - Upgrade guzzlehttp/guzzle from 6.5.5 to 6.5.8
* authorization - APPLICATION ERROR #13 (access denied) while creating new user when threshold configured as MANAGER in administration interface - Update issue icon on \"My View\" page is displayed even without having appropriate access rights - Update issue icon on \"View Issues\" page is displayed even without having appropriate access rights
* bugtracker - Errors trying to load moment.js library from CDN - $g_path incorrectly set in config_defaults_inc.php on PHP 5.6 - PHP 5.6 support broken
* filters - Create Permalink - special characters handling
* installation - Javascript error in browser console when upgrading - Installer\'s Oracle-specific warning regarding identifiers\' length is shown initially for MySQL
* db-mssql - APPLICATION ERROR 401 Database query failed. Error received from database was #-52: SQLState: IMSSP
* documentation - Impossibility of deleting attachment with form security validation turned on
* Wed Apr 20 2022 Johannes Weberhofer - MantisBT 2.25.3 Security and maintenance release
* security - CVE-2021-43257: CSV Injection with CSV Export Feature #0029130 - CVE-2022-26144: XSS in manage_plugin_page.php and manage_plugin_uninstall.php #0029688 - Update ADOdb to 5.20.21 #0029485 - Update guzzlehttp/psr7 to 1.8.5 #0029848 - Update moment.js to 2.29.2 #0029849
* api rest - Slim Application Error when RestFault generated #0028927
* api soap - SOAP call mc_project_get_id_from_name fails when there is no matching project in PHP 7.2 #0029034
* attachments - Adding an attachment with a long filename causes \"Data too long for column \'filename\'\" application error #0029144
* bugtracker - Constant FILTER_SANITIZE_STRING is deprecated #0029845 - \'format_issue_summary\' custom function not called from View Issue Details page #0029181 - Passing null to parameter of type XXX is deprecated #0029846
* custom fields - APPLICATION ERROR 1300 Custom field not found with case-sensitive database #0029413
* installation - Unable to install #0029462
* ui - Missing closing div tag causes incorrect page footer display #0029416
* Mon Jun 21 2021 Johannes Weberhofer - MantisBT 2.25.2
* CVE-2021-33557: XSS in manage_custom_field_edit_page.php
* PHP 8: \"Bad Request\" error on custom field filters
* Update PHPMailer to 6.5.0
* Thu May 20 2021 Johannes Weberhofer - MantisBT 2.25.1
* administration - Error removing project #0028106
* plug-ins - Bundled plugins 2.25.0: incorrect Mantis requirement #0028076
* security - Update PHPMailer to 6.4.1 (fixes CVE-2020-36326) #0028530
* ui - Incorrect spacing between icon and text on manage_user_edit_page.php [#0028112] - Labels for email notifications in User Prefs page appear in bold [#0028084] - Project Edit Page does not display check boxes #0028082 - Unsightly vertical offset of the \"Update Prefs\" and \"Reset Prefs\" buttons. #0028080
* Mon Mar 08 2021 Johannes Weberhofer - MantisBT 2.25.0 This feature and maintenance release contains over 100 fixes and enhancements; among many other things, it improves PHP 8 compatibility, LDAP authentication and invalid plugins management. It also includes a schema change, so do not forget to upgrade the database as documented in the Admin Guide. Please note that this will be the last release supporting PHP 5;
* administration - \"Add Version\" without entering a version number outputs \"Operation successful\" though no version has actually been added #0027994 - Attachment settings not available on \"Workflow Thresholds\" page [#0026892] - Issue revision settings not available on \"Workflow Thresholds\" page [#0027817] - Manage user page table footer is displayed even when empty #0027387 - Misleading e-mail notification following password reset by admin [#0026884] - PHP warning in config_get_global #0026798 - Some config options can be set in database, but should be configurable just in config_inc.php #0027884 - SQL syntax error on manage_user_page #0027117 - Sticky setting not available on \"Workflow Thresholds\" page #0027463 - When deleting a project, there should be information of how many (if any) issues are affected #0027768
* api rest - /config REST API endpoint reports users as not found when they exist [#0026891] - Errors in API documentation #0026481 - Incorrect documentation for tags #0027969 - REST API update issue triggers errors if payload is empty #0027973 - Upgrade guzzlehttp/guzzle from 6.5.2 to 6.5.5 #0026919
* api soap - mc_issue_update() throws system warning when Project not specified in IssueData #0027981
* attachments - Improve pop-up description for file icons #0027827
* authentication - Username regex is too strict by default #0026811
* authorization - reporter allowed to close #0026920
* bugtracker - Admin check always has \"WARN\" for magic_quotes checks (PHP 7.4) [#0026964] - Allow printing of standard confirmation alerts without buttons [#0027242] - bugnote_clear_cache() does not work properly #0027217 - clickable summaries in view issues page #0008066 - It is not possible to clear the Default Profile #0027257 - Profile-related operations lack confirmations #0027259 - Refactor Profiles management pages to display a list of records [#0027256] - Standardize on IEEE 1541 units (KiB, MiB) for file sizes #0027700 - Update securimage to 3.6.8 #0027155
* change log - No hyperlinks in Changelog and Roadmap release notes #0027839
* code cleanup - Code cleanup around User/Global Profiles #0027258 - Convert Project and User Pref APIs to use DbQuery class #0027145 - Data integrity: ensure users\' default_project preference is a valid project #0027144 - Error handlers use deprecated context parameter #0027703 - Implement ConfigsGetCommand and use from REST API #0026889 - Implement LocalizedStringsGetCommand and use from REST API #0026890 - Move release scripts to main repository #0026903 - New API function to get User Id by cookie string #0028002 - PHP notice in manage_user_edit_page.php when given invalid user id [#0027573] - Refactor printing of project selection menus #0026888 - Remove obsolete \'posted\' form param when reporting new issue #0027575 - Remove Project Info page #0027802 - Remove unused and regroup duplicated language strings #0027298 - Remove unused bug_monitor_list_view_inc.php file #0026962 - Standardize access of option database_version #0026821 - System notice in lang_error_handler #0027701 - Unneeded code for option display_project_padding #0027833 - Use user_is_login_request_allowed() instead of duplicating the logic [#0026930]
* custom fields - Custom date field with default value left blank even when field is required #0027914 - Custom fields with comma can\'t be used in Manage Config Columns page [#0026665] - Incorrect error message when reporting issue with a custom field failing validation #0027576 - Remove need to use {} for dynamic dates in custom fields default value #0027956 - Validate date custom fields default value format #0027950
* db mssql - Update ADOdb to 5.20.20 #0026837
* db postgresql - PHP 8.0 PostgreSQL builds fail due to deprecated pg_fieldsize() function #0027830
* db schema - Email field in mantis_email_table is shorter than user email in mantis_user_table #0027982
* documentation - Admin Guide has various broken links, obsolete info, etc. #0026617 - Fix discrepancies in documentation for $g_display_errors #0027300 - Host the Example Plugin from the Developers Guide in a repository in mantisbt-plugins organization #0027993 - Improve Custom Fields documentation #0027983 - Out of the box Mantis does not display either a Dependancy or Relationship Graph #0027584 - Remove helper_alternate_class() calls from Developers Guide and document alternative #0027992 - REST API documentation #0025998
* email - Enable S/MIME signed e-mail notifications #0025764
* filters - Preserving filters does not work correctly on sub-sub-projects [#0027129] - search field at project-selection is not working anymore #0027375
* html - Standardize the way fontawesome icons are printed #0027828
* installation - Required PHP json extension not documented and checked #0026974
* installation] Sourceforge [admin/test_langs.php - File missing from installation packages ( mantisbt-2.24.3.zip & mantisbt-2.24.3.tar.gz) #0027362
* installation - Using an empty timezone causes PHP notice on PHP 8 #0027796
* javascript - MantisGraph: stop using chart.js bundled build #0027123
* ldap - Add STARTTLS Support to LDAP #0015361 - Changed default $g_ldap_protocol_version from 0 to 3. #0027848 - LDAP configuration options can be set in database #0026822 - LDAP server must be specified as an URI #0027849
* localization - Confusing message when selecting a project to enter an issue #0011463 - Improve handling of missing language strings #0027241
* other - Upgrade release build scripts to Python3 #0027384
* performance - Non visible image previews are transferred from server to client [#0027150]
* plug-ins - 3rd-party plugins cannot use chart.js library bundled with MantisGraph #0027122 - Admin checks should detect invalid / incorrectly installed plugins [#0026143] - Create cronjob script and plugin event #0027882 - Force-installed plugins are not registered in order of priority [#0027302] - Improve handling of invalid / incorrectly installed plugins #0026142 - MantisGraph: update Chart.js library to v2.9.3 #0027124 - Plugin_force_uninstall is not declared #0012961 - Tag attach group action doesn\'t trigger EVENT_TAG_ATTACHED #0027881 - Validate plugin folder name and name match during setup #0017487
* preferences - issue report TOO_MANY_REDIRECTS #0026988 - Non existing field name os_version used where os_build should be used [#0026840]
* printing - Viewer does not get Selection column in View Issues or Print Reports lists #0026839
* security - Printing unsanitized user input in account_prof_edit_page.php #0027853 - Update PHPMailer to 6.3.0 #0027118
* sql - Error in bug_api.php when UPDATEing a bug #0027113
* sub-projects - Project Menu Bar does not indent subprojects properly #0026887
* time tracking - User list in time tracking summary is not sorted #0027005
* tools - TravisCI: add PHP 8.0 to tests, and switch to bionic build environment #0027829
* ui - Confusing redirection when editing profiles #0027260 - Horizontal rules (
tag) are nearly invisible #0027978 - Inconsistent form input labels\' font size when HTML label element is used #0027958 - Left-align the Send Reminder textarea #0027972 - Manage users edit page: inconsistent spacing between sections #0027574 - \"Move\" functionality offered for users that have just access to a single project #0026861 - Questionable UI / button on \"Edit Project Category\" page #0027808 - Upgrade to fontawesome version 4.7.0 #0026823 - Username field in Monitor box triggers password managers #0026963 - Wrong page position after bugnote add/edit #0027160
* Mon Jan 18 2021 Johannes Weberhofer - MantisBT 2.24.4: Security and maintenance release, addressing 6 CVEs: an XSS issue, an SQL injection in the SOAP API and several information disclosure issues including a critical one allowing full access to private issues\' contents. All installations are strongly advised to upgrade as soon as possible. This release also includes a few PHP 8.0 compatibility fixes, including a major one causing an access denied error for all users when updating issues.
* Attacker can leak private information via different functionality - CVE-2020-29604: Full disclosure of private issue contents, including bugnotes and attachments - CVE-2020-29605: Disclosure of private issue summary - CVE-2020-29603: Disclosure of private project name
* Private category can be access/used by a non member of a private project (IDOR)
* CVE-2020-35571: XSS in helper_ensure_confirmed() calls
* User Account - Takeover
* Fixed in version can be changed to a version that doesn\'t exist
* When updating an issue, a Viewer user can be set as Reporter
* CVE-2020-35849: Revisions allow viewing private bugnotes id and summary
* CVE-2020-28413: SQL injection in the parameter \"access\" on the mc_project_get_users function throught the API SOAP.
* inconsistent UI for view bugnote revision
* Printing unsanitized user input in install.php
* print_manage_user_sort_link Function Parameter Required after Optional
* Declaring a required parameter after an optional one is deprecated in PHP 8
* Javascript error in View Issues page
* Adapt Error handler to PHP 8
* Impossible to edit issues with PHP8
* Sat Sep 26 2020 Andreas Stieger - MantisBT 2.24.3:
* CVE-2020-25781: Access to private bug note attachments
* Admin can get issues assigned to users not allowed to handle them
* CVE-2020-25288: HTML Injection on bug_update_page.php
* Send reminder to viewer
* Admin can set viewer as a tag creator
* Priority can override to any positive integer
* Remove code duplication in File API
* When processing categories, it is not necessary to know the project id
* CVE-2020-25830: HTML Injection in bug_actiongroup_page.php
* Tue Aug 11 2020 Andreas Stieger - MantisBT 2.24.2:
* CVE-2020-16266: HTML injection (maybe XSS) via custom field on view_all_bug_page.php
* update PHPMailer from 6.1.4 to 6.1.6- MantisBT 2.24.1:
* security - APIs expose private attachments to users who has access to issue but not private notes - file_get_visible_attachments shows private files that should be invisible to the user
* various bug fixes and improvements
  
ICM